Presented at GEO London 2015: Launching and operating an employee share plan globally is complex. When asked about some of the most challenging aspects of a launch, data privacy is often at the top of the list. Over 100 countries now have data privacy laws; this is no longer a topic to be taken lightly, or worse — ignored. In March 2014, the European Parliament took the next step in the process of reforming the EU data protection regime. The prospect of large fines up to 5% of global turnover is expected to bring data privacy issues into sharp focus for companies who may have previously taken a light touch approach to compliance in this area. This session will cover the essential data privacy rules in the context of employee incentive plans. Expert panelists from Linklaters, Solium and Outotec will discuss whether data consents are necessary, share the most practical way of getting them and provide answers to managing different data privacy rules in different countries.

1. Data Privacy Compliance. Why? How?
Julian Cunningham-Day, Linklaters
Pekka Hukkanen, Outotec
Mike Pewton, Solium GSP
Nancy Price, Linklaters

2. Agenda
• Why is data privacy relevant for incentives?
• What does data privacy law protect?
• Who is subject to the law?
• What does it mean in practice for your plan?
• A company’s experience - Outotec
• How to be compliant – globally

3. Why is data privacy relevant for incentives?
• Over 100 countries now have data privacy laws
• Wide ranging – not just for incentives
• Publicity and penalties
• Consider in context of employment relationship
• Involvement of third parties
• Global: more countries = more complexity
• Practical compliance - can’t you just get
consent?

4. Why do we have data protection laws?
1950:
European
Conven-on
on
Human
Rights
(Ar-cle
8,
Right
to
Privacy)
1981:
Conven-on
for
the
Protec-on
of
Individuals
with
regard
to
Automa-c
Processing
of
Personal
Data
1995:
EU
Direc-ve
on
the
protec-on
of
individuals
with
regard
to
the
processing
of
personal
data
and
on
the
free
movement
of
such
data
2002:
EU
Direc-ve
on
the
processing
of
personal
data
and
the
protec-on
of
privacy
in
the
electronic
communica-ons
sector
2012:
Proposed
new
Regula-on
to
reform
the
EU
data
protec-on
regime

5. What does the law protect?
“Personal data processed by a data controller”
• Data relating to a living individual who can be identified
from the data
• Examples:
Ø register of share plan participants
Ø details of ex-employees and consultants
Ø contact details of employees, bank account details
• Separate category of sensitive personal data
Ø Health, racial/ethnic origin, religion

6. Who is subject to the law?
Ø data controller determines “how” and “why”
personal data is processed
Ø data processor processes personal data on
behalf of a data controller under a written
contract
Grantor
Administrator
Broker
Regulator

7. Principle based regulation ....
1. Fair and lawful processing
2. Processing for specified purposes only
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Kept no longer than necessary
6. Rights of the data subject
7. Appropriate security
8. International transfers of personal data

8. Key Principles
The following are key for incentive plans:
Ø Fair and lawful processing
Ø Rights of individuals
Ø Data security/Data processors
Ø Trans-border dataflow
Ø Regulatory notifications

9. Key principles
Transparency
• What
data
• Who
has
access?
• Where?
• Why?
Fair
and
lawful
• Propor-onate?
• Consent?
• Legi-mate
interests?
Staff
rights
• Access
• Objec-on
• To
be
forgoSen

10. Spotlight on data exports
Issue: International Transfers of data. Additional restrictions
apply when data is exported
Routes for
International
Data Transfers
Consent Contractual
Necessity
The Model
Contracts
A Custom
Contract
An Approved
Destination
U.S. Safe
Harbor
Binding
Corporate
Rules
Presumption
of Adequacy

11. How is the law enforced?
Naming
and
shaming
Public
opinion
Audit/
Fines
Cease
and
Desist
Private
Claims

12. International harmonisation?
EU - Minimum harmonisation
• Directive based, so many similarities between Member States…
Ø …but national variations exist in different implementation,
interpretation and enforcement
• Proposals to reform European data protection laws shortly
Ø Introduction of a single EU-wide data protection law via a Regulation
Ø Stringent obligations including mandatory appointment of data
protection officers
Ø Increased emphasis on accountability and “privacy by design”
Ø Extra-territorial effect
Ø Mandatory breach notification
Ø Fines of up to 5% of annual worldwide turnover

13. International harmonisation?
• Rest of the world
Ø Now over 100 jurisdictions with developed privacy
regimes
Ø Many based on European model
Ø Australia – new set of 13 Australian Privacy Principles
Ø Singapore – new Personal Data Protection Act
Ø Russia – expected new data localisation law (requires
the personal data of Russian citizens to be stored in
databases in Russia)

14. Practical issues for incentive plans
• How do these issues affect a company operating
a global plan at various stages
Ø Pre-invitation
Ø Initial invitation
Ø Making awards
Ø On vesting of awards
Ø Selling shares

15. Pre-invitation
• Ensure 3rd party agreements in place
• Review legal compliance
• Obtain data permits
• Make data protections filings/notifications

16. Initial invitation
• Obtain consent for mailing
Ø Third party mailing
Ø Direct mailing
• Ensure 3rd party agreements respected
• Review data requests
• Review consent procedure and ensure
early consent

17. Making awards
• Follow established procedure
• Record the required information only
• Ensure testing and adequacy of record
keepers
Ø Internally
Ø Externally

18. Vesting/exercise of awards
• Review vesting exercise data flow
• Clean records

19. Re-invitation
• Can you rely on previous Data Protections
Ø Follow same procedure
Ø Do not “flip” information
Ø Review drop outs and amend data accordingly

20. • Outotec provides leading technologies and services for
the sustainable use of Earth’s natural resources
• As the global leader in minerals and metals processing
technology, we have developed many breakthrough
technologies over the decades for our customers in
metals and mining industry
• We also provide innovative solutions for industrial
water treatment, the utilization of alternative energy
sources and the chemical industry
• Outotec shares are listed on NASDAQ OMX Helsinki
Outotec in brief
The
3rd
most
sustainable
company
Experts
of
over
60
na@onali@es
R&D,
sales
and
service
centers
in
27
countries
Deliveries
to
more
than
80
countries
Net
sales
1.4bn
EUR
in
2014

21. Objectives for ESSP
• Share the success that employees build together
• Support Outotec values & create One Outotec culture
• Achieve a participation rate > 20%
Russia
70
Australia
400
Brazil
450
Canada
230
Chile
390
Germany
550
Netherlands
10
Finland
1,500
Sweden
250
Norway
10
South-­‐Africa
200
India
100
UK
5
USA
150
Mexico
35
Zambia
20
Peru
80
Ghana
5
UAE
2
China
130
Kazakhstan
20
Indonesia
2

22. The Plan: O’Share
• Offer: buy 2 shares, get 1 free
• 1st year promotion: buy 1, get
1 free
• Target group: All employees –
Participation voluntary
• Earning potential: same for
everyone
• Link to top management LTI:
LTI conditional on O’Share
participation

23. Extensive
marke-ng
campaign
&
branding
Face-­‐to-­‐face
employee
events
Transla-ons
into
6
languages
Web-­‐based
communica-on
Challenges
Over 20 different countries & cultures
Data
Privacy
issues

24. Issues
• First saving period 2013:
– Easy to administer vs. legally bulletproof?
– Risk of reducing take up if too complex?
• Next saving periods 2014 onwards:
– Who to handle existing and new participants?

25. Process
• We chose active data consent option:
– Consent from all employees allowing Outotec
to transfer data to administrator
• Invitation to sign-up was sent only to
those who gave consent
– 2014 onwards consent ask again from
everybody excluding participants
• Further acceptance on portal for data
consent

26. • Over 1,500 participants in almost 20 countries around the world
• Take-up >33%
China
18%
Australia
30
%
Brazil
12
%
Canada
22%
Chile
9%
Germany
25
%
Netherlands
55%
Finland
52%
Sweden
55
%
Norway
63%
South-­‐Africa
30
%
India
30
%
UK
80%
USA
23
%
Mexico
79
%
Global take-up 34%
• Over
1,500
par-cipants
in
nearly
20
countries
• 2014
take-­‐up
33%
and
2015
27%
-­‐
in
challenging
business
situa-on
Peru
25%
Zambia
33%
UAE
100%

27. Tips for global compliance
ü Country due diligence review
ü Undertake regulatory notifications and check they remain
accurate and valid
ü Give employees information on processing activities
ü Obtain employees’ consent
ü Have a compliant contract with the administrator
ü Ensure all data transfers are compliant
ü Check data is accurate and deleted if no longer needed
ü Only process sensitive personal data for justified purposes

28. Thank You
Julian Cunningham-Day
Linklaters
julian.cunningham-
day@linklaters.com
Mike Pewton
Solium GSP
mike.pewton@solium.com
Pekka Hukkanen
Outotec
pekka.hukkanen@outotec.com
Nancy Price
Linklaters
nancy.price@linklaters.com